A good friend emailed me the other day to ask if I thought using Tor's network and software is truly as secure as everyone thinks. My immediate reply was no, I don't think Tor or any other so-called anonymizing service is truly secure. If you want absolutely anonymity, don't use the Internet.
No service or product can claim to give you absolute privacy or anonymity. Here are six good reasons why.
[ The Internet is not secure, but Roger Grimes has some ideas for a separate, supersecure network. | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]
Reason No. 1: Your location is traceable
Everyone on the Internet has an IP address, be it public or private. Ultimately, that address, along with upstream logs, can be used to identify you. Ask nearly any computer security criminal charged with a felony.
Some clever folks think they can play interesting tricks to make their originating IP address less obvious. For example, many cyber criminals use wireless networks not owned by them (at a coffee shop, a neighbor's Wi-Fi, and so on). They still get caught.
This is nothing new. In 1995, Tsutomu Shimomura tracked down notorious hacker Kevin Mitnick by following triangulating wireless signals to modem connected to a neighbor's house. Hundreds of child pornographers get caught each year who believed they were safe because they were using someone else's network and source IP address. This defense isn't new and rarely works in the real world when the cops decide to get serious about finding you.
Reason No. 2: Your cloak has holes
What about the anonymizing services? Oddly, many of the services and programs that guarantee you privacy have never undergone serious penetration testing. In fact, not just the anonymizing options, but security software in general is full of exploit holes. I don't mean a few -- I mean dozens to hundreds of holes.
Years ago, one of the penetration-testing teams I was working with was hired to go at a popular AV vendor's virus scanner. We found hundreds of easy-to-exploit holes. The same can be said for encryption software.
Phil Zimmerman of the legendary Pretty Good Privacy program has moved on to encrypting VoIP and cellphone transmissions. Zimmerman is one of the world's foremost encryption experts, and he designs some of the best encryption products, including a product called Silent Circle, an encrypted email service with military-grade encryption that shut down Friday. He's also one of the world's most passionate privacy experts -- one of the few who actually faced a treason charge over his support of that Fourth Amendment freedom.
In short, Zimmerman is the type of guy you want designing privacy software, but even he has a hard time keeping bugs out of his products. At the end of June, it was reported that an open source library Silent Circle relies upon was found to have multiple security flaws. Plus, here's what one reviewer found in February. Keep in mind that Zimmerman is one of my heroes, and in my opinion, his products are less likely to have issues than competing products.
Read one of my recent columns, and you'll learn that the governments of the world have tens of thousands of undisclosed bugs they can use to break into computers at will. Don't trust security software to protect you completely.
Reason No. 3: A password is still a password
The weakest link in most security software isn't the code. It's usually the password protecting the private keys. Most privacy and encryption software asks the user to input a password to protect the private key material that it used to encrypt and protect communications. For example, the Pretty Good Privacy program will ask you to type in a password to protect your public/private key pairing. It will even advise you what is and isn't considered a strong password.